To Grow The Internet Of Things, Improve Security

The Internet of Things continues to grow rapidly, but concerns about security remain a significant barrier and are hindering the adoption of IoT devices.

Research by Bain & Company finds that enterprise customers would be willing to buy more IoT devices if their concerns about cybersecurity risks were addressed—on average, at least 70% more than what they might buy if their concerns remain unresolved. In addition, 93% of the executives we surveyed say they would pay an average of 22% more for devices with better security. Bain estimates that improving security solutions for these devices could grow the IoT cybersecurity market by $9 billion to $11 billion in 2020.

For IoT device vendors—companies that make IoT devices as well as those that provide related solutions—the message is clear: Improve security to gain a competitive edge and expand your market.

Most executives surveyed (60%) say they are very concerned about the risks IoT devices pose to their companies—not surprising, given the damage that an IoT security breach can cause to operations, revenue and safety. When poorly protected, IoT devices can allow access to enterprise systems, resulting in large data breaches. For example, in January 2018, a Mirai malware variant called Okiru targeted ARC processors embedded in billions of IoT products.

Executives who manage security say they want solutions that are highly effective, easy to integrate and flexible to deploy. Companies take a range of approaches to meet their security needs based on their capabilities and the availability of marketplace solutions from vendors. Only about a third of IoT cybersecurity solutions used today are from IoT device vendors, indicating that vendors are either not offering holistic, high-quality solutions that meet consumer needs, or not promoting them well enough. Our research finds that companies with the most advanced cybersecurity capabilities rely more on internally developed security solutions, not only because they may have more complex needs but also because they are more likely to have the resources to develop their own solutions. As might be expected, companies with ad hoc security capabilities have the most gaps across all IoT layers that we tested (access interface, applications, data, hardware/operating system, network and operations).

We also looked at how companies deploy solutions by layer of security, and found ample opportunity for IoT device vendors at every layer of the stack. Our survey shows that the access interface layer has the greatest level of protection, whether internally developed or provided by a manufacturer or third party. Other layers of the stack are protected by more internal solutions—or, in some cases, none at all.

IoT device vendors and ecosystem players that move quickly to improve the security around IoT devices are likely to reap rewards, both from their ability to earn a premium and from an expanded market.

First, manufacturers need to understand how customers are using their devices. Refreshing their understanding of customer use cases every 12 to 18 months will allow them to stay on top of evolving security requirements and identify unmet needs. Ascertaining the average cybersecurity maturity level of their customers will help manufacturers invest in the appropriate out-of-the-box and add-on solutions.

Second, manufacturers should provide cybersecurity capabilities on the device and, when possible, partner with trusted cybersecurity vendors to offer additional solutions. Engineering teams should embed secure development practices into the software and hardware components of the device, and provide inherent solutions for the access interface, apps, data and device layers.

Third, manufacturers also need to meet quality assurance thresholds and be able to certify that their IoT devices are free from known vulnerabilities. This would mitigate a major pain point for customers, who sometimes install new devices without realizing they contain vulnerabilities. Deploying a more methodical process to identify and remove vulnerabilities across layers, or engaging third-party vulnerability scanning/penetration test firms, can help manufacturers meet this bar.

Finally, manufacturers can fulfill their obligations during the warranty period by continuously testing for new vulnerabilities and by providing software and firmware updates, as well as feature and functionality upgrades for out-of-the-box and aftermarket solutions. Delivering updates to firmware, operating systems and applications in response to newly discovered security vulnerabilities should remain a top priority throughout the warranty period.

These four steps are a start, though by no means all it will take to begin addressing the security concerns that are holding back adoption of IoT devices. While growth in IoT markets seems destined to continue its inexorable march, many enterprise customers will continue to move cautiously until they can gain some reasonable assurance of security—not only of their data but also of the operations that increasingly rely on devices, sensors and the Internet of Things.

Syed Ali is an expert vice president with Bain & Company in Houston. Ann Bosche is a partner with Bain in San Francisco, and Frank Ford is a Bain partner in London. Syed and Frank work with Bain’s Global Information Technology practice, and Ann works with Bain’s Global Technology practice.